Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  KB7052 ?

    Posted 04-15-2011 11:53

    Can anyone give a complete explanation of step 3 in KB7052?

     

    The question is exactly what I am trying to do. I have a network of 172.23.1.0 defined on port 1 of a Netscreen 25. I have a network of 172.24.1.0 defined on port 4. Both are set to NAT. I would like devices on port 1 to be able to communicate with devices on port 4. They are both in the Trust zone. It looks like they should be able to route to each other via the trust-vr, but they do not. 

     

    This KB suggests that there is one more step, but I am new to Juniper and do not understand it.



  • 2.  RE: KB7052 ?

    Posted 04-15-2011 12:50

    I would recommend taking a look at the ScreenOS Concepts and Examples Guide, which breaks down DIP, MIP, and VIP pretty well.

     

    In a nutshell:

     

    DIP is used for outbound traffic and uses NAT-src

    MIP is for bidirectional traffic

    VIP is for inbound traffic and uses PAT




  • 3.  RE: KB7052 ?
    Best Answer

    Posted 04-16-2011 14:57

    Wait a minute: two interfaces in the trust zone, why NAT the traffic? It should be routed!

     

    Please check the following:

     

    Have you configured a global policy?

     

    If so, create an intra-zone policy in trust, so from trust to trust. In CLI: set pol from trust to trust any any any permit
     
    If no global policy exists: make sure intra-zone block is off in the trust zone. In CLI: unset zone trust block.
     
    If anyone starts to wonder what screenie is talking about with the global policy: using global policies overrides the intra-zone block setting.

     

    Of course devices on both networks must use the firewall as gateway.

     

    BTW: NS25: very very very old device...........



  • 4.  RE: KB7052 ?

    Posted 04-18-2011 11:20

    Hi Screenie,

     

    Thanks for your reply. When you say that both must use the firewall for a gateway, do you mean they must use a common IP address?

     

    What I currently have is 172.23.1.0/24 on interface 1 and 172.24.1.0/24 on interface 4. All clients connected to interface 1 have a gateway IP of 172.23.1.1 and all clients on interface 4 have a gateway IP of 172.24.1.1. All clients on both interfaces can access the Internet which is connected on interface 3.

     

    I did a 'get zone trust' and it says:

    Intra-zone block: Off, attrib: Non-shared, flag:0x6208.

     

    I entered the set policy command but still I do not seem to be able to connect/browse/ping any devices between interfaces. Is the gateway the issue?

     

    Regards,

    --MikeO



  • 5.  RE: KB7052 ?

    Posted 04-18-2011 12:38

    Hi.

     

    The routing you configured is what I meant. Can you do the following debug session:

     

    set ff dst-ip <ip to ping to>

    debug flow basic

    clear db

    Ping from one net to the other

    undebug all

    get db stream




  • 6.  RE: KB7052 ?

    Posted 04-19-2011 06:54

    Hi Screenie,

     

    I attempted to ping 172.24.1.39 from 172.23.1.12

     

    Here are the debug results:

     

    ****** 7589030.0: <Trust/ethernet1> packet received [60]******
      ipid = 32525(7f0d), @c7d0f110
      packet passed sanity check.
      ethernet1:172.23.1.12/44306->172.24.1.39/768,1(8/0)<Root>
      no session found
      flow_first_sanity_check: in <ethernet1>, out <N/A>
      chose interface ethernet1 as incoming nat if.
      flow_first_routing: in <ethernet1>, out <N/A>
      search route to (ethernet1, 172.23.1.12->172.24.1.39) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 13.route 172.24.1.39->0.0.0.0, to ethernet4
      routed (x_dst_ip 172.24.1.39) from ethernet1 (ethernet1 in 0) to ethernet4
      policy search from zone 2-> zone 2
     policy_flow_search  policy search nat_crt from zone 2-> zone 2
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 172.24.1.39, port 40265, proto 1)
      No SW RPC rule match, search HW rule
      Permitted by policy 31
      No src xlate   choose interface ethernet4 as outgoing phy if
      no loop on ifp ethernet4.
      session application type 0, name None, nas_id 0, timeout 60sec
      service lookup identified service 0.
      flow_first_final_check: in <ethernet1>, out <ethernet4>
      existing vector list 1-3f9abe0.
      Session (id:31651) created for first pak 1
      flow_first_install_session======>
      route to 172.24.1.39
      arp entry found for 172.24.1.39
      nsp2 wing prepared, ready
      cache mac in the session
      make_nsp_ready_no_resolve()
      search route to (ethernet4, 172.24.1.39->172.23.1.12) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet1
      [ Dest] 1.route 172.23.1.12->0.0.0.0, to ethernet1
      route to 172.23.1.12
      flow got session.
      flow session id 31651
      post addr xlation: 172.23.1.12->172.24.1.39.
     flow_send_vector_, vid = 0, is_layer2_if=0

    ****** 7589036.0: <Trust/ethernet4> packet received [81]******
      ipid = 2787(0ae3), @c7d78110
      packet passed sanity check.
      ethernet4:172.24.1.39/54228->8.8.8.8/53,17<Root>
      no session found
      flow_first_sanity_check: in <ethernet4>, out <N/A>
      chose interface ethernet4 as incoming nat if.
      flow_first_routing: in <ethernet4>, out <N/A>
      search route to (ethernet4, 172.24.1.39->8.8.8.8) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 9.route 8.8.8.8->X.X.185.161, to ethernet3.2
      routed (x_dst_ip 8.8.8.8) from ethernet4 (ethernet4 in 0) to ethernet3.2
      policy search from zone 2-> zone 1
     policy_flow_search  policy search nat_crt from zone 2-> zone 1
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 8.8.8.8, port 53, proto 17)
      No SW RPC rule match, search HW rule
      Permitted by policy 6
      choose interface ethernet3.2 as outgoing phy if
      no loop on ifp ethernet3.2.
      session application type 16, name DNS, nas_id 0, timeout 60sec
    ALG vector is attached
      service lookup identified service 16.
      flow_first_final_check: in <ethernet4>, out <ethernet3.2>
      existing vector list 281-405f190.
      Session (id:31326) created for first pak 281
      flow_first_install_session======>
      route to X.X.185.161
      arp entry found for X.X.185.161
      nsp2 wing prepared, ready
      cache mac in the session
      make_nsp_ready_no_resolve()
      search route to (ethernet3.2, 8.8.8.8->172.24.1.39) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet4
      [ Dest] 13.route 172.24.1.39->0.0.0.0, to ethernet4
      route to 172.24.1.39
      flow got session.
      flow session id 31326
      update policy out counter info.
     flow_send_vector_, vid = 0, is_layer2_if=0

    ****** 7589036.0: <Trust/ethernet4> packet received [119]******
      ipid = 2788(0ae4), @c7d78910
      packet passed sanity check.
      ethernet4:172.24.1.39/58773->8.8.8.8/53,17<Root>
      no session found
      flow_first_sanity_check: in <ethernet4>, out <N/A>
      chose interface ethernet4 as incoming nat if.
      flow_first_routing: in <ethernet4>, out <N/A>
      search route to (ethernet4, 172.24.1.39->8.8.8.8) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 9.route 8.8.8.8->X.X.185.161, to ethernet3.2
      routed (x_dst_ip 8.8.8.8) from ethernet4 (ethernet4 in 0) to ethernet3.2
      policy search from zone 2-> zone 1
     policy_flow_search  policy search nat_crt from zone 2-> zone 1
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 8.8.8.8, port 53, proto 17)
      No SW RPC rule match, search HW rule
      Permitted by policy 6
      choose interface ethernet3.2 as outgoing phy if
      no loop on ifp ethernet3.2.
      session application type 16, name DNS, nas_id 0, timeout 60sec
    ALG vector is attached
      service lookup identified service 16.
      flow_first_final_check: in <ethernet4>, out <ethernet3.2>
      existing vector list 281-405f190.
      Session (id:31973) created for first pak 281
      flow_first_install_session======>
      route to X.X.185.161
      arp entry found for X.X.185.161
      nsp2 wing prepared, ready
      cache mac in the session
      make_nsp_ready_no_resolve()
      search route to (ethernet3.2, 8.8.8.8->172.24.1.39) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet4
      [ Dest] 13.route 172.24.1.39->0.0.0.0, to ethernet4
      route to 172.24.1.39
      flow got session.
      flow session id 31973
      update policy out counter info.
     flow_send_vector_, vid = 0, is_layer2_if=0

    ****** 7589040.0: <Trust/ethernet4> packet received [68]******
      ipid = 2800(0af0), @c7d79910
      packet passed sanity check.
      ethernet4:172.24.1.39/57677->8.8.8.8/53,17<Root>
      no session found
      flow_first_sanity_check: in <ethernet4>, out <N/A>
      chose interface ethernet4 as incoming nat if.
      flow_first_routing: in <ethernet4>, out <N/A>
      search route to (ethernet4, 172.24.1.39->8.8.8.8) in vr trust-vr for vsd-0/flag-0/ifp-null
      [ Dest] 9.route 8.8.8.8->X.X.185.161, to ethernet3.2
      routed (x_dst_ip 8.8.8.8) from ethernet4 (ethernet4 in 0) to ethernet3.2
      policy search from zone 2-> zone 1
     policy_flow_search  policy search nat_crt from zone 2-> zone 1
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 8.8.8.8, port 53, proto 17)
      No SW RPC rule match, search HW rule
      Permitted by policy 6
      choose interface ethernet3.2 as outgoing phy if
      no loop on ifp ethernet3.2.
      session application type 16, name DNS, nas_id 0, timeout 60sec
    ALG vector is attached
      service lookup identified service 16.
      flow_first_final_check: in <ethernet4>, out <ethernet3.2>
      existing vector list 281-405f190.
      Session (id:30733) created for first pak 281
      flow_first_install_session======>
      route to X.X.185.161
      arp entry found for X.X.185.161
      nsp2 wing prepared, ready
      cache mac in the session
      make_nsp_ready_no_resolve()
      search route to (ethernet3.2, 8.8.8.8->172.24.1.39) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet4
      [ Dest] 13.route 172.24.1.39->0.0.0.0, to ethernet4
      route to 172.24.1.39
      flow got session.
      flow session id 30733
      update policy out counter info.
     flow_send_vector_, vid = 0, is_layer2_if=0

     

    Thanks for any insight you can offer.

    --MikeO
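    The trace above answers the question in post 5 once you know which lines to look at: the "packet received" banner gives the ingress zone and interface, the 5-tuple line gives the flow, "routed ... to ethernetN" is the route lookup, "policy search from zone A-> zone B" tells you whether the lookup was intra-zone, "Permitted by policy N" (or a drop line) is the verdict, "No src xlate" confirms the box is routing rather than NATing between the two Trust interfaces, and "Session (id:N) created" shows the session was installed. The script below is an added example for pulling those fields out of a `debug flow basic` / `get db stream` dump; it is not from this thread or from Juniper. Its sample input is the first packet of the trace above, abridged to the lines it keys on, plus a second, invented inbound flow from Untrust; the wording of the drop line ("packet dropped, denied by policy") is an assumption about ScreenOS output, not something the thread shows.

```python
"""Summarize ScreenOS `debug flow basic` output, one line per first packet.
Added example; the regexes are keyed to the line shapes in the trace above."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the trace's first packet, abridged, plus an invented
# inbound flow from Untrust. The drop-line wording is an assumption.
SAMPLE = """\
****** 7589030.0: <Trust/ethernet1> packet received [60]******
  ethernet1:172.23.1.12/44306->172.24.1.39/768,1(8/0)<Root>
  routed (x_dst_ip 172.24.1.39) from ethernet1 (ethernet1 in 0) to ethernet4
  policy search from zone 2-> zone 2
  Permitted by policy 31
  No src xlate   choose interface ethernet4 as outgoing phy if
  Session (id:31651) created for first pak 1
****** 7589041.0: <Untrust/ethernet3.2> packet received [60]******
  ethernet3.2:198.51.100.7/3301->172.24.1.39/445,6<Root>
  routed (x_dst_ip 172.24.1.39) from ethernet3.2 (ethernet3.2 in 0) to ethernet4
  policy search from zone 1-> zone 2
  packet dropped, denied by policy
"""

HEADER = re.compile(r"^\*{6} [\d.]+: <(?P<zone>[^/]+)/(?P<ifc>[^>]+)> packet received")
TUPLE = re.compile(r"^(?P<ifc>[^:\s]+):(?P<src>[\d.]+)/\d+->(?P<dst>[\d.]+)/\d+,(?P<proto>\d+)")
ROUTED = re.compile(r"^routed \(x_dst_ip [\d.]+\) from \S+ \(\S+ in \d+\) to (?P<out>\S+)")
ZONES = re.compile(r"^policy search from zone (?P<src>\d+)-> zone (?P<dst>\d+)")
PERMIT = re.compile(r"^Permitted by policy (?P<pid>\d+)")
SESSION = re.compile(r"Session \(id:(?P<sid>\d+)\) created")


@dataclass
class Flow:
    """Decisions the firewall logged for one first packet."""
    in_zone: str
    in_if: str
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[int] = None
    out_if: Optional[str] = None
    src_zone: Optional[int] = None
    dst_zone: Optional[int] = None
    policy_id: Optional[int] = None
    verdict: str = "unknown"      # "permitted", "denied" or "unknown"
    no_src_xlate: bool = False    # trace explicitly said no source NAT
    session_id: Optional[int] = None


def parse_flow_trace(text: str) -> list[Flow]:
    """Split the dump at each 'packet received' banner and collect the
    routing, zone, policy, NAT and session lines that follow it."""
    flows: list[Flow] = []
    cur: Optional[Flow] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER.match(line):
            cur = Flow(in_zone=m["zone"], in_if=m["ifc"])
            flows.append(cur)
        elif cur is None:
            continue                      # noise before the first banner
        elif m := TUPLE.match(line):
            cur.src, cur.dst, cur.proto = m["src"], m["dst"], int(m["proto"])
        elif m := ROUTED.match(line):
            cur.out_if = m["out"]
        elif m := ZONES.match(line):
            cur.src_zone, cur.dst_zone = int(m["src"]), int(m["dst"])
        elif m := PERMIT.match(line):
            cur.policy_id, cur.verdict = int(m["pid"]), "permitted"
        elif "denied by policy" in line:
            cur.verdict = "denied"
        elif line.startswith("No src xlate"):
            cur.no_src_xlate = True
        elif m := SESSION.search(line):
            cur.session_id = int(m["sid"])
    return flows


def explain(flow: Flow) -> str:
    """One line per flow: path, zone pair, and why the box did what it did."""
    path = f"{flow.in_if} -> {flow.out_if or '?'}"
    if flow.src_zone is None:
        zones = "zone ?"
    else:
        zones = f"zone {flow.src_zone}->{flow.dst_zone}"
        if flow.src_zone == flow.dst_zone:
            zones += " (intra-zone)"
    if flow.verdict == "permitted":
        why = f"permitted by policy {flow.policy_id}"
        if flow.no_src_xlate:
            why += ", no source NAT (plain routing)"
        if flow.session_id is not None:
            why += f", session {flow.session_id}"
    elif flow.verdict == "denied":
        why = "dropped by policy"
    else:
        why = "no policy decision in trace"
    return f"{flow.src}->{flow.dst} proto {flow.proto}: {path}, {zones}, {why}"


if __name__ == "__main__":
    for f in parse_flow_trace(SAMPLE):
        print(explain(f))
```

    Paste the output of `get db stream` into SAMPLE (or read it from a file) and run the script. A flow that shows the right egress interface, an intra-zone policy match and a created session, as the ICMP flow above does, means the firewall did its job and the problem is downstream, which is exactly what turned out to be the case in this thread. A flow that never reaches a policy verdict points at routing; one that is dropped points at policy or intra-zone block.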



  • 7.  RE: KB7052 ?

    Posted 04-19-2011 11:03

    Hi Screenie,

     

    I did some reading about the debug log. From what I could see the ping command was getting to the right policy, so it should have been working. I got back on the network and tried to ping the switch in the 172.24.1.0 network instead of the laptop I was using to test. Pinging to and from the switch worked!

     

    I took a different laptop and tried it. That also worked. There was apparently a problem with the TCP/IP configuration of the laptop with which I did my original tests. Your solution worked.

     

    Thanks,

    --MikeO